Directors and a culture of risk

Thursday, 01 May 2014


    Neill Buck has 10 key messages for boards on how to manage their organisation’s risk culture.

    How do you know what the culture of risk in your organisation looks like? Who is going to tell you when it is not right? How do you ensure that the amount of risk being taken is both procedurally and behaviourally consistent with the board’s risk appetite?

    If you do not know the answer to these questions then you may find yourself embarrassed when the media reports the issue before you hear about it.

    Every organisation has a culture. The culture of risk is a key accountability for boards to ensure they give effect to the board’s risk appetite through controls and behaviours.

    First, the board needs to ensure that everyone in the organisation understands what is acceptable and unacceptable in line with the risk appetite.

    Creating and communicating the risk appetite is the precursor to establishing procedures to ensure that controls and behaviours are aligned across the organisation.

    How does a director know that the risk culture is in fact working?

    To start with, the board must understand that the culture of risk is a manifestation of the behaviour of the board, executives and managers.

    Importantly, a key indicator of a culture of risk is a recognition of the organisation’s capacity to succeed and fail.

    Similarly, if staff are treated badly or bullied, there may be a disconnect between the board’s view on the culture of risk and what happens in the organisation.

    Establishing and sustaining a culture of risk is hard. In his 2009 report on the crash of an RAF Nimrod aircraft in Afghanistan, Charles Haddon-Cave QC listed the following issues:

    • The “can do” attitude and the “perfect culture”.
    • Imposition of business principles.
    • Cuts in resources and manpower.
    • Dangers of outsourcing to contractors.
    • Dilution of risk management processes.
    • Dysfunctional databases.
    • PowerPoint engineering.
    • Uncertainties as to out-of-service date.
    • Normalisation of deviance.
    • Success engendered optimism.
    • The few - the tired.

    This list is common to many business failures. Yet, directors are surprised when these issues occur.

    In general, the following are key factors in creating a poor risk culture in an organisation:

    • Group think – where the group thinks everything is fine and avoids completion or the hard decisions.
    • Lack of in-depth defences – not understanding that multi-layered organisational process and behavioural defences are essential to reduce the opportunities for failure.
    • Confirmation bias – the group confirms a particular bias without stopping to ask why. This reflects, among other things, a lack of a reporting culture.
    • Tunnel vision management – where management can only see what it wants to see without recognising its capacity to fail.

    How do directors know that these approaches are operating in their organisations?

    First, they need to examine whether these four characteristics are operating in the boardroom. Then, the board risk (and audit) committee should drill down to see if they are operating in the organisation.

    Directors should expect to be told the truth and not have the truth sugar coated. Without the right risk culture, small and then larger issues will emerge over time. Directors need to be confident they have effective reporting processes.

    Take a look at the culture survey. Are the following questions being asked?

    • If I report will I be treated fairly?
    • Will the organisation learn from the experience?
    • Are we capable of adapting to issues that emerge in these surveys?

    One very effective tool in assuring the right culture is to make managers and executives accountable for achieving results at, say, 80 per cent – a reasonable level, in my experience.

    There will always be people who do not agree and they should have the opportunity to be heard. In the end, however, the board must be confident that it has a just culture where everyone is treated fairly. The best test is what happens to whistle-blowers in your organisation. In many cases, they leave or are bullied. In a number of cases, they have committed suicide.

    If this happens, we often suspend belief and listen to managers who look convincing.

    At times they are, but sometimes it is a veneer that you need to get behind.

    One of the best questions to ask is: Is this the way we do things around here when no one is looking?

    Yes, the test of the risk culture comes when no one is looking.

    It is never easy to create and sustain a risk culture.

    Process risk is much easier to manage and measure. But if you do not manage the risk culture then, regardless of process reports, behaviours will bring you unstuck.

    You cannot leave this issue alone because it only takes one person to destroy years of work.

    Be prepared to ask hard questions about behaviour and do not accept answers that give you no confidence. If you are not sure ask again.

    You will be amazed how not accepting the first answer forces people to think about the organisation’s culture of risk.

    10 tips for managing your risk culture

    • Nothing focuses the mind like a big fraud.
      Learn from breaches, incidents and near misses – failure to learn is the biggest failure of all. If you think this is expensive, wait until the plane crashes.
    • Speak up and be honest. If you know it is too risky, can’t be done or just plain wrong, speak up.
    • Reality is better than any simulation. Models are only models so the closer to reality your simulations and training come, the better. Real life is better than multiple choice.
    • Standard operating procedures drive success. Good habits, standard procedures and embedded good practice work. Chaos just makes the crisis bigger.
    • Beware of unintended consequences. Be wary of people who want to simplify complex processes and who don’t listen to good advice, and of the chasm between cause and effect.
    • Stuff happens. Ensure you are not surprised when bad things happen, no matter how good your systems and controls are. There are always the lurking known unknowns and unknown unknowns.
    • Risk and compliance managers need loud voices and thick skins. Make the tough calls and communicate with them up and down. Don’t take it personally.
    • Systems and procedures are only as good as the behaviours of those working with them. The best systems are also people dependent. Find the right culture and embed it.
    • People are rarely fully committed unless they know it will hurt if they aren’t. Robust systems and good behaviours need to be supported by accountability, but the carrot should always come first before the veiled big stick.
    • Remember why you implemented the systems and controls in the first place. Avoid the short-term memory loss that allows you to discount the risks and repeat the mistakes of the past – nothing focuses the mind like a big fraud. Start again at message 1 above.
